Todoist extension is sending all the sites a user visits to a webapp hosted on an insecure server

RESOLVED FIXED in 44.2

Status: RESOLVED FIXED
Product: Toolkit
Component: Blocklisting
Reported: 3 years ago
Modified: 2 years ago

People: Reporter: mossop, Assigned: jorgev

Tracking: Version: unspecified; Target Milestone: 44.2; Points: ---
Firefox Tracking Flags: (Not tracked)
Whiteboard: [qa-]

(Reporter)

Description

3 years ago
I'm not sure if this should be a blocklisting thing, or a case where we get them to update their code. At the very least seems like they should be required to have a privacy policy.

I was looking in my browser console and discovered a startling number of unsafe CPOW warnings coming from Todoist even when not interacting with Firefox in any way. Looking at the code I found this gem:

// Runs as privileged (chrome) add-on code. `content` is the active tab's
// content window; touching its location and document from chrome is what
// produces the unsafe-CPOW warnings in the browser console.
setInterval(function() {
  // URL currently loaded in the sidebar's frame element.
  var frame_href = XULTodoistFirefox.TODOIST_ELM.contentDocument.location.href;

  // Only gated on the webapp ('/app') being loaded in the frame; nothing
  // checks whether the sidebar is actually open or visible.
  if(frame_href.indexOf('/app') != -1) {
    if(XULTodoistFirefox.last_location != content.location.href) {
      // URL and title of the active tab, sent whenever the URL changes.
      var data_to_send = {};
      data_to_send['href'] = content.location.href;
      data_to_send['title'] = content.document.title;
      data_to_send['type'] = 'T_FIREFOX_MESSAGE';

      var data_to_string = JSON.stringify(data_to_send);
      // targetOrigin '*': delivered to whatever document the frame currently
      // holds, with no check that it is the expected Todoist origin.
      XULTodoistFirefox.TODOIST_ELM.contentDocument.defaultView.postMessage(data_to_string, '*');
      XULTodoistFirefox.last_location = content.location.href;
    }
  }
}, 300);  // polls every 300 ms

For context Todoist opens a sidebar showing a slim version of their webapp. Once opened this interval starts and every 30ms it grabs the url and title of the current opened tab and if it differs from the last uses postMessage to send it to the webapp. Also the webapp is hosted on an insecure webserver. Also it does this even if the sidebar is closed.

Marking as security sensitive for now since this allows a MITM attack to get any Todoist user's browsing data.
(Reporter)

Comment 1

3 years ago
I should add that there doesn't seem to be any good reason why they would need to see every url the user visits. The sidebar has an option to create a task from a website which would need the url but that could be requested when needed.
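The fix the description and comment 1 point at, written out as an added example (this is not Todoist's code and is not taken from this bug): the page URL is sent only when the user asks for it, only to one pinned https origin, and the webapp accepts it only after checking the sender origin and the message shape. TODOIST_ORIGIN, sendCurrentPage, receiveSidebarMessage, makeFakeWindow and the origins used in the demonstration are assumed names for illustration.

```javascript
// Added example, not from the add-on or this bug: the sidebar hand-off
// reworked so the URL leaves the browser only on demand, only to one https
// origin, and is accepted only from an expected sender. All names here are
// assumed for illustration.

// Assumed https origin of the webapp loaded in the sidebar.
const TODOIST_ORIGIN = 'https://todoist.com';
const MESSAGE_TYPE = 'T_FIREFOX_MESSAGE';
const MAX_TITLE_LENGTH = 512;

// Sender side (add-on code). Meant to be called from the "create task from
// this page" action, not from a timer, so nothing is sent unasked.
// Returns true if a message was posted, false if the page was not shareable.
function sendCurrentPage(sidebarWindow, page) {
  if (!page || typeof page.href !== 'string') {
    throw new TypeError('page.href must be a string');
  }
  // Never ship privileged or local URLs (about:, file:, chrome:, ...).
  if (!/^https?:\/\//i.test(page.href)) {
    return false;
  }
  const payload = JSON.stringify({
    type: MESSAGE_TYPE,
    href: page.href,
    title: String(page.title || '').slice(0, MAX_TITLE_LENGTH),
  });
  // A concrete targetOrigin makes the browser drop the message if the frame
  // has navigated anywhere else, e.g. to an http page swapped in on the wire.
  sidebarWindow.postMessage(payload, TODOIST_ORIGIN);
  return true;
}

// Receiver side (webapp inside the sidebar frame). `allowedSenderOrigin` is
// whatever single origin the deployment expects the add-on to post from;
// the point is that it is one value, never "accept from anywhere".
// Returns the validated { href, title } or null when the message is ignored.
function receiveSidebarMessage(event, allowedSenderOrigin) {
  if (event.origin !== allowedSenderOrigin) {
    return null;
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return null;
  }
  if (!msg || msg.type !== MESSAGE_TYPE) {
    return null;
  }
  if (typeof msg.href !== 'string' || !/^https?:\/\//i.test(msg.href)) {
    return null;
  }
  if (typeof msg.title !== 'string' || msg.title.length > MAX_TITLE_LENGTH) {
    return null;
  }
  return { href: msg.href, title: msg.title };
}

// Minimal stand-in for a window object so the example runs outside a browser;
// it records what would have been posted and to which target origin.
function makeFakeWindow() {
  const sent = [];
  return {
    sent,
    postMessage(data, targetOrigin) {
      sent.push({ data, targetOrigin });
    },
  };
}

// Demonstration with constructed input: one on-demand send, then the webapp
// side validates it. The sender origin is an assumed placeholder.
const demoWindow = makeFakeWindow();
sendCurrentPage(demoWindow, { href: 'https://example.org/article', title: 'Example' });
const demoAccepted = receiveSidebarMessage(
  { origin: 'moz-extension://assumed-addon-id', data: demoWindow.sent[0].data },
  'moz-extension://assumed-addon-id'
);
console.log('accepted:', demoAccepted);
```

The two halves are independent: pinning targetOrigin protects the data in transit to the frame, and the origin plus schema check on the receiving side protects the webapp from spoofed messages; dropping the timer is what removes the unrequested browsing history collection altogether.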
(Assignee)

Comment 2

3 years ago
Thanks. I sent a message to the developer via AMO, giving them some time to fix the add-on. If they don't comply within two weeks, the add-on will be blocked. If the add-on is updated to a safe version, we will block the old versions once most users have updated.
Assignee: nobody → jorge
(Assignee)

Comment 3

3 years ago
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i1030
Group: addons-security
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Whiteboard: [qa-]
Target Milestone: --- → 44.2
Product: addons.mozilla.org → Toolkit